[conspire] Machine rebuild happened on Feb. 1

Rick Moen rick at linuxmafia.com
Tue Feb 8 18:28:22 PST 2005

Hi, Bill!

Quoting William R Ward (bill at wards.net):

> I'm not sure it's as boneheaded as you think.  The purpose of SPF as I
> understand it is to verify that the sender is who they claim to be.

It pretty much has to do that via a check of the envelope sender at the
time of the incoming SMTP connection.  http://spf.pobox.com/faq.html#basics 

  Q: Does it protect the "From:" header field?

  A: SPF was designed to protect the envelope sender. That means the
  return-path that shows up in "MAIL FROM", and to a lesser extent the
  HELO argument that is supposed to be an FQDN.

  The vast majority of SPF implementations today use the return-path as
  the subject of authentication and do not get involved with the header

  Protecting authorship information is an important goal. However, the
  technical issues associated with protecting the "From:" header are much
  more numerous and challenging. The best way to protect the header
  "From:" is by using a cryptographic signature such as S/MIME, PGP, or
  (when it is released) Yahoo DomainKeys.

  If you want to use the "From:" header as the subject of authentication
  with SPF, you need to be familiar with the following:

      * mailing lists
      * /etc/aliases-style forwarding
      * MUA "resend this message to"
      * web-generated email
      * the Sender header
      * the Resent-Sender and Resent-From headers 

The spfd implementation I have (Debian libmail-spf-query-perl package
version 1.996-1) unfortunately rejected as originating from an
"unauthorized MX" (paraphrasing) my _own_ posts to mailing lists on
various third-party hosts, as well as Heather Stern's posts to the
BayLISA administrative list, as well as all pieces of mail generated by
my own /etc/aliases file.  All of that resulted from it relying on
the mail-internal "From:" header rather than the envelope "From" one.
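
Added example, not part of the original post and not code from spfd or Mail::SPF::Query: a simplified SPF evaluation of one mailing-list post, checked once against the envelope sender and once against the "From:" header, to show why the header check rejects list traffic. The domains, addresses, SPF records and the `spf_check`/`evaluate` helpers are constructed for illustration; only `ip4` mechanisms and `-all` are handled, and a dictionary stands in for DNS.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF policies standing in for DNS TXT lookups (assumption).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "lists.example.net": "v=spf1 ip4:198.51.100.25 -all",
}

def spf_check(domain, client_ip):
    """Evaluate a simplified SPF record: only ip4 mechanisms and -all."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"
    return "neutral"

def domain_of(address):
    """Extract the domain part of an address such as 'Name <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2]

def evaluate(client_ip, mail_from, raw_message):
    """Return SPF results keyed by which identity was checked."""
    header_from = message_from_string(raw_message)["From"]
    return {
        "envelope": spf_check(domain_of(mail_from), client_ip),
        "header": spf_check(domain_of(header_from), client_ip),
    }

# Constructed list post: the list host rewrites the envelope sender to its
# bounce address but leaves the author's "From:" header untouched.
LIST_POST = (
    "From: Alice <alice@example.org>\n"
    "To: discuss@lists.example.net\n"
    "Subject: [discuss] hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    # Relayed by the list host, then sent directly from the author's network.
    print(evaluate("198.51.100.25", "discuss-bounces@lists.example.net", LIST_POST))
    print(evaluate("192.0.2.10", "alice@example.org", LIST_POST))
```

The list-relayed copy passes on the envelope sender and fails on the header, while the same message sent directly from the author's network passes both.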
